Coalition urges HHS to protect patient data on 3rd-party apps

The Confidentiality Coalition and the Workgroup for Electronic Data Interchange penned a letter March 24 to HHS and the U.S. Commerce Department, urging better protections for patient health data on third-party applications. 

The two groups say that while some organizations that develop apps, such as payers and health systems, are covered under HIPAA, they are concerned with "the lack of robust privacy standards applicable to the large percentage of third-party application developers not associated with covered entities and therefore not covered under HIPAA and the fact that there currently is no federally recognized certification or accreditation for these apps."

The letter says a national cybersecurity framework is needed to prevent the exposure of patients' private health data through some third-party applications.

The letter offers these five recommendations:

  • Release additional guidance on the types of third-party app security and privacy verification that will be permitted, and allow covered entities to review third-party apps before permitting them to connect to their app programming interfaces.
  • Require entities that are not HIPAA covered entities or business associates to give clear disclosures to users regarding what kind of data they are collecting, what it is being used for, and that the data they collect is not subject to HIPAA. 
  • Work with the private sector to develop a privacy and security accreditation or certification framework for third-party apps, and permit covered entities to limit the use of their app programming interfaces to third-party apps that have agreed to abide by the framework. 
  • Apply similar security requirements in the private sector as CMS applies to its Blue Button 2.0 and DPC initiatives, requiring all third-party apps seeking to access protected health information via provider or health plan app programming interfaces to prove adherence to a strict set of privacy and security guidelines or successfully complete a CMS-approved security certification.
  • Partner with groups like the Confidentiality Coalition, WEDI and other professional associations in the development and deployment of education aimed at a wide range of consumers and covered entities. 

The Confidentiality Coalition is a group of payers, providers, hospitals, medical manufacturers, pharmacies and other health organizations that advocates for effective patient confidentiality protections. WEDI is a nonprofit group for users of electronic data exchange in healthcare that provides guidance on how to use knowledge and resources to improve healthcare quality, access and costs.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.